[5.0+][ROOT][3.2.0-BETA] AFWall+ IPTables Firewall [03 JULY 2019]

By ukanth, Recognized Developer on 26th October 2012, 05:41 PM
27th May 2019, 10:18 AM |#5401  
Quote:
Originally Posted by Estebanium

Can someone tell me the reason for the usage of slashes in ip addresses?
For instance: 224.0.0.0/4

CIDR is short for Classless Inter-Domain Routing, an IP addressing scheme that replaces the older system based on classes A, B, and C. A single IP address can be used to designate many unique IP addresses with CIDR. A CIDR IP address looks like a normal IP address except that it ends with a slash followed by a number, called the IP network prefix. CIDR addresses reduce the size of routing tables and make more IP addresses available within organizations.
https://www.ipaddressguide.com/cidr
The Following 2 Users Say Thank You to vip5912 For This Useful Post.
 
 
29th May 2019, 09:00 AM |#5402  
Quote:
Originally Posted by eriol1

Just updated to 2.9.9
Had to disable/enable log service before toasts started showing up. Other than that everything's great so far.
Love the dual app support.
I'm using island for dual apps and afwall is doing exactly what I would expect.
Thanks.

ver. 3.1.0
Did you check the Dual Apps option only, or the Multi-User option as well?
Did you clone AFWall+ to Island?
29th May 2019, 09:54 AM |#5403  
Quote:
Originally Posted by vip5912

ver. 3.1.0
Did you check the Dual Apps option only, or the Multi-User option as well?
Did you clone AFWall+ to Island?

Only dual apps.
Did not clone afwall to island.
When dual apps is checked in afwall, cloned apps appear in afwall main rule screen so they can be allowed/blocked like regular apps.
Attached screenshots: Screenshot_20190529-115201_AFWall+.png, Screenshot_20190529-114754_AFWall+.png
The Following User Says Thank You to eriol1 For This Useful Post.
29th May 2019, 10:58 AM |#5404  
Quote:
Originally Posted by eriol1

Only dual apps.
Did not clone afwall to island.
When dual apps is checked in afwall, cloned apps appear in afwall main rule screen so they can be allowed/blocked like regular apps.

The AFWALL in the Mainland doesn't see the applications which are not installed in Mainland (only in Island).
It sees only dual apps.
I cloned AFWALL to Island and this clone sees the applications in Island.
But I don't know whether there will be a problem with using two AFWALLs (Mainland and Island).
I checked the Multi-User option and selected blacklist mode.
Do I need to check the Dual Apps option in this case?
I have some apps in Mainland, some in Island and some dual (in Mainland & Island).
30th May 2019, 06:46 AM |#5405  
Quote:
Originally Posted by vip5912

The AFWALL in the Mainland doesn't see the applications which are not installed in Mainland (only in Island).
It sees only dual apps.
I cloned AFWALL to Island and this clone sees the applications in Island.
But I don't know whether there will be a problem with using two AFWALLs (Mainland and Island).
I checked the Multi-User option and selected blacklist mode.
Do I need to check the Dual Apps option in this case?
I have some apps in Mainland, some in Island and some dual (in Mainland & Island).

I'm guessing using 2 afwall apps would not work.
Since there is only one iptables in the system, both afwall apps would just overwrite each other's rules every time they apply, so probably the last one to apply would win.
I tried cloning afwall to island to test but I don't seem to have root in island apps and I don't have the patience to figure out how to get it working. I'd rather not have root available for island apps anyway.

I'm not sure why island apps don't appear in afwall (mainland) after being removed from mainland. Might be a bug in afwall or simply an android limitation.
Maybe @ukanth can clarify.
30th May 2019, 11:24 AM |#5406  
Quote:
Originally Posted by eriol1

I'm guessing using 2 afwall apps would not work.
Since there is only one iptables in the system, both afwall apps would just overwrite each other's rules every time they apply, so probably the last one to apply would win.
I tried cloning afwall to island to test but I don't seem to have root in island apps and I don't have the patience to figure out how to get it working. I'd rather not have root available for island apps anyway.

I'm not sure why island apps don't appear in afwall (mainland) after being removed from mainland. Might be a bug in afwall or simply an android limitation.
Maybe @ukanth can clarify.

As I understand it, there is the multi-user option for this case. I check this option in both afwalls and select blacklist mode (block selected).
The multi-user option is only for blacklist mode!
Then I uncheck the dual-apps option and I see Mainland apps in Mainland afwall and Island apps in Island AFWall.
For root rights in Island you need to check this option in the Magisk setup. You can select using one Magisk Manager for both profiles or two different Magisk Managers in Mainland and Island.
I use the second option. I cloned Magisk Manager to Island. I need root rights in Island for some apps (i.e. Migrate for backing up Island apps).
1st June 2019, 01:23 AM |#5407  
Quote:
Originally Posted by Estebanium

Can someone tell me the reason for the usage of slashes in ip addresses?
For instance: 224.0.0.0/4

That specifies a CIDR range... a range of IP addresses. It's a way of entering a large range of IP addresses in a very short format.

For example:
# DROP the entire internet
iptables -I afwall -d 0.0.0.0/0 -j DROP
ip6tables -I afwall -d ::/0 -j DROP

That's 4,294,967,296 IPv4 IP addresses, and 340,282,366,920,938,463,463,374,607,431,768,211,456 IPv6 IP addresses.

I've used it in my AFWall+ settings to block all of Google's CIDR ranges in my Default firewall profile.

You can find all IP addresses for a company here.

You can aggregate CIDR ranges to minimize your firewall entries here.

In your case, it'd be 224.0.0.1 to 239.255.255.254.
Network = 224.0.0.0
Usable IPs = 224.0.0.1 to 239.255.255.254 for 268435454
Broadcast = 239.255.255.255
Netmask = 240.0.0.0
Wildcard Mask = 15.255.255.255


Quote:
Originally Posted by eriol1

I'm guessing using 2 afwall apps would not work.
Since there is only one iptables in the system, both afwall apps would just overwrite each other's rules every time they apply, so probably the last one to apply would win.
I tried cloning afwall to island to test but I don't seem to have root in island apps and I don't have the patience to figure out how to get it working. I'd rather not have root available for island apps anyway.

I'm not sure why island apps don't appear in afwall (mainland) after being removed from mainland. Might be a bug in afwall or simply an android limitation.
Maybe @ukanth can clarify.

Actually, they could try this:
Set up one AFWall+ to use the system's iptables, and the other to use AFWall+'s built-in iptables.

I haven't tried it, but it should allow the two iptables to co-exist without cross-feeding.
The Following 5 Users Say Thank You to Lusty Rugnuts For This Useful Post.
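A worked example, added here and not taken from either of the CIDR posts above or from AFWall+: it derives the network, netmask, wildcard, broadcast and usable-range values listed for 224.0.0.0/4 from the prefix length alone, and performs the containment test that an iptables `-d` match applies, including the /0 case used in the DROP rules above and the /31 and /32 edge cases.

```python
# Added example: CIDR arithmetic and the containment test behind an iptables -d match.

def ip_to_int(addr):
    """Dotted-quad IPv4 string -> 32-bit integer."""
    parts = [int(p) for p in addr.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {addr}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]

def int_to_ip(n):
    """32-bit integer -> dotted-quad string."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def netmask_of(prefix):
    """A /n mask is n one-bits followed by (32 - n) zero-bits; /0 is all zeros."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def cidr_info(cidr):
    """Network, netmask, wildcard, broadcast, usable range and size of an IPv4 CIDR."""
    addr, prefix = cidr.split("/")
    prefix = int(prefix)
    netmask = netmask_of(prefix)
    wildcard = ~netmask & 0xFFFFFFFF      # the host bits, i.e. the inverse mask
    network = ip_to_int(addr) & netmask   # host bits cleared
    broadcast = network | wildcard        # host bits set
    size = 1 << (32 - prefix)
    # /31 (RFC 3021) and /32 blocks have no separate network or broadcast address.
    reserved = 2 if prefix <= 30 else 0
    return {
        "network": int_to_ip(network),
        "netmask": int_to_ip(netmask),
        "wildcard": int_to_ip(wildcard),
        "broadcast": int_to_ip(broadcast),
        "first_usable": int_to_ip(network + reserved // 2),
        "last_usable": int_to_ip(broadcast - reserved // 2),
        "usable": size - reserved,
        "size": size,
    }

def in_cidr(addr, cidr):
    """True if addr is inside cidr: mask both sides with the prefix's netmask and compare."""
    net, prefix = cidr.split("/")
    mask = netmask_of(int(prefix))
    return ip_to_int(addr) & mask == ip_to_int(net) & mask

if __name__ == "__main__":
    for key, value in cidr_info("224.0.0.0/4").items():
        print(f"{key:>12}: {value}")
```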
1st June 2019, 05:17 PM |#5408  
Quote:
Originally Posted by custon3

It's happening to me that when applying rules from the afwall menu,
90% of the time it hangs in the window "status: checking root" and I have to leave the app,
force stop it and clear the cache. I'm not sure if the problem is caused by afwall or by magisk.
afwall+ 3.1.0 free, whitelist, custom script, android 9 (mokee9), magisk 18.1.

Checking some logcat I found errors of the widget when I passed the bug when applying the rules. Making tests, after the app was blocked when applying the rules, I launched an afwall widget and pressed one of the options. (afwall was unlocked)
My impression is that there is some conflict between the switch to apply rules and the widget switch. I hope this helps @ukanth to debug this bug.
The Following User Says Thank You to custon3 For This Useful Post.
5th June 2019, 03:16 AM |#5409  
Quote:
Originally Posted by Lusty Rugnuts

Ok, I dove deep on the problem, and figured out that AFWall+ must not like the iptables for this system (Android Nougat 7.0.04.13, rooted with TWRP as bootloader and Magisk as root).

I uninstalled AFWall+ and started fresh.

Under:
AFWall+ Preferences > Experimental Features > Startup directory for script, I set it to /data/adb/service.d/
AFWall+ Preferences > Profiles > I enabled multiple profiles and 'Apply rules on profile switch'.
AFWall+ Preferences > Binaries > Iptables binary, I set it to 'Built-in iptables'.
AFWall+ Preferences > Binaries > BusyBox binary, I set it to 'Built-in BusyBox'.

At the top of my .sh scripts, I'd been using (taken from here):
# NECESSARY AT THE TOP OF EACH SCRIPT!
IP6=/system/bin/ip6tables
IP4=/system/bin/iptables

I changed it to:
# NECESSARY AT THE TOP OF EACH SCRIPT!
IP6=ip6tables
IP4=iptables

And I enabled:
[-12] (tethering) - DHCP+DNS services (dev.afwall.special.tether)
... and aside from Nebulo glitching and not passing DNS requests after an AFWall+ profile change (I have to stop Nebulo and start it for it to work... a bug report is in with the app's developer), everything seems to work!

Still need the auto-flush chain on at least the INPUT chain, though. Maybe the app's dev can hang an auto-flush chain off PREROUTING... blocking incoming packets further upstream means fewer CPU cycles consumed in blocking them, and that's important on a battery-operated device.

{UPDATE}
I've run with the above settings for a while now, and they're not working correctly. The issues I've had with running the iptables built-in to AFWall+:
1) AFWall+ is very slow to flush and update iptables / ip6tables. It pauses for a long time twice as rules load, and rules loading is painfully slow even between the pauses.

2) Sometimes, AFWall+ reports that it's unable to gain root, then it doesn't load any iptables at all (the Rules window is completely blank) and the firewall disables.

3) Even when AFWall+ does successfully apply the new rules on a change of profile, when I close the AFWall+ window, it shows in the notifications that AFWall+ is applying the rules again. If I then open AFWall+ again and go to the Rules window, the rules are entered twice for each rule. Strangely, it seems it's only doing this for IPv4 rules... running:
adb shell
su
iptables -L
shows the twice-entered rules in the IPv4 iptable, whereas running:
adb shell
su
ip6tables -L
shows the rules don't seem to be twice-entered in the IPv6 iptable.

So I've changed things again:
Under:
AFWall+ Preferences > Experimental Features > Startup directory for script, I set it to /data/adb/service.d/
AFWall+ Preferences > Profiles > I enabled multiple profiles and 'Apply rules on profile switch'.
AFWall+ Preferences > Binaries > Iptables binary, I set it to 'System iptables'.
AFWall+ Preferences > Binaries > BusyBox binary, I set it to 'System BusyBox'.

At the top of my .sh scripts:
# NECESSARY AT THE TOP OF EACH SCRIPT!
IP6=/system/bin/ip6tables
IP4=/system/bin/iptables

Thus far, AFWall+ switches profiles really quickly, and thus far I've not gotten the error dialog stating that AFWall+ couldn't gain root.

I'm using the Stericson BusyBox.

So it appears there are problems with AFWall+'s built-in iptables and busybox. Or perhaps trying to have AFWall+ do everything (manage profiles, wrangle internal iptables, run internal busybox, etc.) was just too much, and things were timing out, but I've got a 1.3 GHz octa-core CPU and the problems haven't appeared using system iptables and system BusyBox, except for the rules duplication issue when the AFWall+ window is closed (described above).
{/UPDATE}

{UPDATE2}
I'm trying something new in the custom scripts... explicitly denoting the path to iptables, even for the built-in AFWall+ iptables:

# NECESSARY AT THE TOP OF EACH SCRIPT!
# NOTE: You must change each {$IP4S | $IP4A | $IP4D} and {$IP6S | $IP6A | $IP6D}
# to reflect your use of System, AFWall+ or AFWall+(Donate version) iptables
# -------------------------
# System iptables
IP6S=/system/bin/ip6tables
IP4S=/system/bin/iptables

# AFWall+ iptables
IP6A=/data/data/dev.ukanth.ufirewall/app_bin/ip6tables
IP4A=/data/data/dev.ukanth.ufirewall/app_bin/iptables

# AFWall+Donate iptables
IP6D=/data/data/dev.ukanth.ufirewall.donate/app_bin/ip6tables
IP4D=/data/data/dev.ukanth.ufirewall.donate/app_bin/iptables
# -------------------------

So for instance, a ruleset for the system's iptables would be:
# DROP invalid packets
$IP4S -A afwall -m state --state INVALID -j DROP
$IP6S -A afwall -m state --state INVALID -j DROP

... whereas for the in-built iptables in the free version of AFWall+, it'd be:
# DROP invalid packets
$IP4A -A afwall -m state --state INVALID -j DROP
$IP6A -A afwall -m state --state INVALID -j DROP

... and for the iptables in the Donate version of AFWall+ it'd be:
# DROP invalid packets
$IP4D -A afwall -m state --state INVALID -j DROP
$IP6D -A afwall -m state --state INVALID -j DROP

I'm going to switch back to using AFWall+'s built-in iptables to see how it works with the above.
{/UPDATE2}

{ASIDE}
Hmmm... I wonder... if I set AFWall+ to use its internal iptables, but explicitly denoted that the rules I load via dot shell script use the system iptables, would that allow the phone to use both iptables, which would mean I could flush INPUT and OUTPUT chains in the system iptables (via the dot shell script) without affecting the AFWall+ iptables?

Because that'd give us a means of INPUT and OUTPUT packet filtering, whereas now we only have OUTPUT packet filtering (via the 'afwall' chain). Which means we could block scans, exploits, etc.

Must experiment.
{/ASIDE}
The Following 2 Users Say Thank You to Lusty Rugnuts For This Useful Post.
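An added check, not from the thread or from AFWall+, for the rule-duplication symptom described in UPDATE item 3 above: it parses the rule listing that `iptables -S` prints (the `-A <chain> <spec>` form), reports any spec that occurs more than once in a chain, and produces the order-preserving deduplicated list. The listing below is a constructed sample, not captured from a device; the `su -c iptables -S` invocation in the comment is how one would feed it real output.

```python
from collections import Counter

# Constructed sample of `iptables -S` output (not captured from a device): the
# afwall chain has been loaded twice, so two of its rules appear twice.
SAMPLE_LISTING = """\
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-N afwall
-A OUTPUT -j afwall
-A afwall -m state --state INVALID -j DROP
-A afwall -d 224.0.0.0/4 -j DROP
-A afwall -m state --state INVALID -j DROP
-A afwall -d 224.0.0.0/4 -j DROP
-A afwall -m owner --uid-owner 10123 -j RETURN
"""

def parse_rules(listing):
    """Map chain name -> ordered list of rule specs from `-A <chain> <spec>` lines."""
    chains = {}
    for line in listing.splitlines():
        parts = line.strip().split(" ", 2)
        if parts[0] != "-A" or len(parts) < 2:
            continue  # -P (policy) and -N (chain creation) lines carry no rule spec
        chain = parts[1]
        spec = parts[2] if len(parts) > 2 else ""   # a bare "-A chain" is legal
        # Normalise whitespace so a cosmetic difference cannot hide a duplicate.
        chains.setdefault(chain, []).append(" ".join(spec.split()))
    return chains

def find_duplicates(listing):
    """Return {chain: {spec: count}} for every spec seen more than once in its chain."""
    dups = {}
    for chain, specs in parse_rules(listing).items():
        repeated = {s: n for s, n in Counter(specs).items() if n > 1}
        if repeated:
            dups[chain] = repeated
    return dups

def dedupe(specs):
    """Keep the first occurrence of each spec; order matters since iptables matches top-down."""
    seen, out = set(), []
    for s in specs:
        if s not in seen:
            seen.add(s)
            out.append(s)
    return out

if __name__ == "__main__":
    # On a rooted device one would use the output of:  su -c "iptables -S"
    for chain, repeated in find_duplicates(SAMPLE_LISTING).items():
        for spec, n in repeated.items():
            print(f"chain {chain}: rule '{spec}' appears {n} times")
```

Run the same function over `ip6tables -S` output to confirm the post's observation that only the IPv4 table carries the doubled rules.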
6th June 2019, 06:53 PM |#5410  
Does anyone have any idea why AFWall+ doesn't work for me? It instantly blocks everything (internet simply doesn't work anymore, both on wifi and mobile data). I tried restarting it, rebooting, tried enabling it in Xposed module (Magisk's EdXposed) but no success. I don't even have to select anything from the menu, as soon as I enable firewall internet access is just gone (for all apps, browsers...). I tried installing multiple versions (including paid one) but it's all the same. Tried changing binaries but nothing works, as soon as I enable it internet is gone no matter what I do. I have Xiaomi mi 9 on MIUI10 (android pie) running custom ROM (Xiaomi.eu latest weekly version) but I did also try to run this app on few weeks older versions with same results. Does anyone have any idea what is happening? I haven't seen anyone having this problem.
6th June 2019, 07:30 PM |#5411  
Quote:
Originally Posted by squid2g

Does anyone have any idea why AFWall+ doesn't work for me? It instantly blocks everything (internet simply doesn't work anymore, both on wifi and mobile data). I tried restarting it, rebooting, tried enabling it in Xposed module (Magisk's EdXposed) but no success. I don't even have to select anything from the menu, as soon as I enable firewall internet access is just gone (for all apps, browsers...). I tried installing multiple versions (including paid one) but it's all the same. Tried changing binaries but nothing works, as soon as I enable it internet is gone no matter what I do. I have Xiaomi mi 9 on MIUI10 (android pie) running custom ROM (Xiaomi.eu latest weekly version) but I did also try to run this app on few weeks older versions with same results. Does anyone have any idea what is happening? I haven't seen anyone having this problem.

When you start AFWall look on top at the icon next to the search icon. The one with 3 horizontal bars and a check mark. Click on that. Which option is checked?
The Following User Says Thank You to jcmm11 For This Useful Post.
Tags
block internet, droidwall, firewall, iptables, security
